UPDATE: The bill has been tabled after being greeted by "vehement opposition."

This morning, Hawaiian state legislators held a hearing on a state bill that could have dire consequences for online privacy. HB 2288 (PDF) would force any company that provides Internet access to consumers in Hawaii to keep undefined “consumer records” for two years, including historical records on the sites a user visited as well as assigned IP addresses. This bill would affect anyone using the Internet in Hawaii, not just those suspected of a crime. And it would cover any business – from libraries and coffee shops to employers – not just ISPs. EFF has been fighting against mandatory data retention programs around the world and in the United States, but this is one of the most poorly drafted pieces of data retention legislation we’ve ever seen. If passed, HR 2288 would infringe on the privacy of hundreds of thousands of Hawaiian citizens as well as any tourists who used Internet services while visiting the Aloha State.

The language from HR 2288 states:

Recordkeeping requirements for internet service providers. Any internet service provider that providers internet service to a consumer in the State shall retain consumer records for no less than two years. The required data for the consumer records shall include each subscriber's information and internet destination history information. Destination information shall include any of the following:

(1) Internet protocol address;

(2) Domain name; or

(3) Host name

In effect, Internet access providers would at least be forced to keep historical records on every website an individual visited and presumably associate that with his or her assigned IP address. This raises a host of issues, including privacy considerations, free speech concerns, and burdens to internet access providers.

EFF has long articulated the civil liberties impact of data retention regimes.  Taken altogether, our online reading habits create a detailed picture of our daily concerns and interests, indicating facts about our age, wealth, interests, sexual orientation, religion, political affiliations and much more.  Collecting and maintaining such vast swaths of consumer data can create a honeypot ripe for abuse by hackers, civil litigants, and law enforcement. There are also numerous examples of private companies inadvertently exposing the sensitive data of individuals through mishandling and accidental disclosure.

Furthermore, storing online reading records could have a chilling effect on user browsing; individuals might avoid researching sensitive issues (like unpopular political opinions or medical conditions) if they know that information will be stored and associated with their profiles for years to come. 

As the Center for Democracy and Technology (CDT) pointed out in its recent memo on data retention, forcing ISPs to maintain detailed historical records on subscriber data can create extraordinary technical and financial burdens. CDT rightly notes that there are numerous situations in which IP addresses are shared (such as in coffee shops, work places, and airports) and that they can’t reliably identify an end user. We couldn’t agree more. They also emphasized the financial burdens on ISPs, especially smaller and rural service providers who could find such measures cost prohibitive. 

Data retention mandates like Hawaii’s HB 2288 treat everyday Internet users like potential criminals. Please help us combat these wrong-minded proposals. If you are in Hawaii, please look up your state representatives here and call them (don’t email) immediately. Individuals across the U.S. can also send an email to Congress opposing federal data retention mandates through our action center.